Estate and letting agents in the UK are six months away from the introduction of the EU-wide General Data Protection Regulation (GDPR).
It will require all businesses that handle personal data to implement a far more rigorous protection regime than we have seen previously.
Is the industry ready? Anecdotally and through my discussions with colleagues, partners and customers, I’d say most are certainly keeping up with the curve. In some areas I think agents are ahead of it.
However, the all-encompassing nature of the legislation carries inherent risk, whether you’re an online operator and not sure whether you’re a data controller or data processor; a nationwide chain with a specialist data officer struggling to standardise the organisation’s many tentacles; a high street independent with one or perhaps a few branches; or a small family-owned lettings business.
With this mix in mind, here are my top ten tips on how agents of all specialisms and sizes should be thinking about GDPR with six months to go:
- Get the basics right
Your agency’s basic digital system must be secure. If this isn’t in place, none of your more high-tech preparation is worthwhile. Whether a device (for example a personal computer or mobile phone) is connected to an intranet, the internet or nothing at all, it must be password protected.
Likewise, each branch’s internet connection and servers must be secure, so check what your service provider has in place.
Free wifi for visitors to your branch absolutely must be via a separate network, not the one your staff use.
- Share the burden with the cloud
The physical security of data in a data centre is always going to be stronger than anything an individual agent could achieve with a local network.
Off-premises, cloud-based solutions put agents in a better place in terms of GDPR because much of the burden is shared with or passed to the provider.
It’s time for agents to think about moving anything installed locally to a private cloud service.
- Build GDPR into every process
Data protection needs to be in the default design of all agency processes.
If you scan a hard copy with details of a let, where does the hard copy go next?
Where is the new PDF saved? Is it hosted online?
All of this is need-to-know information.
Likewise, websites with contact forms now require far greater security. If a potential customer simply sends in their name and email address, this process needs to adequately protect their details.
- Bring your suppliers in line
Most agents regularly share customer data with trusted suppliers such as lawyers or property maintenance companies.
Under GDPR, the interfaces and connections to your suppliers should be firewall and password protected.
In addition, ask your suppliers about their own data security to make sure it’s as strong as you would like. You also need to know that services you might use such as Google Drive and MailChimp are secure.
- Get explicit permission from customers at every stage
Under GDPR, personal privacy is the default.
Agents need explicit permission from a customer for everything their data is used for and every point of contact.
For example, a customer who has agreed to hear from you in the form of a brochure has not consented to be contacted about their home insurance. This could drastically impact the ways we currently market and cross-sell products. Customers and potential customers need to opt-in at every stage.
- Remove personal identifiers
Data that can identify your customers needs to be pseudonymised.
Datasets must be connected with, for example, a reference number rather than personal identifiers. In practical terms, this means that the details of a let (e.g. how much money a customer owes) must be identifiable only via a unique number rather than the customer’s name.
- Plan for a breach
Any processor of personal data that suffers a breach needs to be able to inform both the data controller and the customers affected within 72 hours.
Put in place a protocol for doing so, whilst ensuring that you closely monitor your systems, firewalls, spam filters and connections.
- Get ready to press delete
Data is valuable and in recent years we’ve been focused on how to collect and make use of it.
Now we need a procedure for getting rid of every trace. Customers have the right to ask an agent to delete all information you hold on them – to ‘forget’ them.
It’s your responsibility to make sure that this is completed by your agency and all partners and suppliers, including cloud hosts who may have multiple copies. The more unified and automated this process can be, the better.
- Use software to share
Individual customers can also request that you transfer their data to a different supplier, even if this is a rival business.
Their data needs to be stored in a way that allows you to easily provide a copy of any information you hold on that customer. This is markedly easier for agents who have or buy in an industry-grade software platform.
- Don’t overlook physical security
There’s a tendency to think GDPR is all about intangible data sets tucked away on servers or floating in the cloud. It’s imperative that basic lock-and-key security doesn’t get left behind.
Make sure that all branches and offices are secure, and that physical copies of any personal data are kept in locked cabinets. A Filofax or USB stick of phone numbers is just as vulnerable as an online database. If you’re leaving lists of customers out on desks overnight, you’re not ready for GDPR.
If the rigours of GDPR ever feel prohibitive, I try to view them through the lens of their value to me as an individual rather than as an agent.
It helps to understand that GDPR protects us, our colleagues and our customers, even as it requires changes to how our businesses must handle data.
Fundamentally, preparing for GDPR is about being diligent and thorough. If you are fully compliant with existing legislation, then you are already part of the way there. But under the new rules, in addition to auditing your own processes and security, achieving customer opt-in at every stage and understanding the ways that suppliers and partners work will be key.
Vik Tara is the CTO of Technology Blueprint Ltd (TBL), a proptech consultancy